Path accused of violating user privacy... again

Right after settling with the FTC, Path photos found being geotagged without permission

On the same day that Path finally settled a year-long battle with the Federal Trade Commission over violationing user privacy by uploading information from users contact lists, the social network was, yet again, accused of storing information about its users without their permission.

Security researcher Jeffrey Paul accused Path of still geotagging the pictures of its users, even if they disabled location data, In a blogpost on Friday. This means that, even if a user does not want Path, or anyone else to know where they are, Path will simply reveal that information anyway by putting a location on the photo.

"If you disable location services for an app, for example, a photo-sharing app or social network, yet take a photo every day (using the Camera app) and then later use that same application (which you have not granted access to your position) to upload that photo, the OS should prohibit the application from detecting your location via the EXIF information in that photo," Paul wrote. "Otherwise, the app will still have your location on a regular basis, despite the clear opposite intent being expressed by the user (through the disabling of location services for that particular app). This seems pretty clear to me."

The blogpost did not go unnoticed. Dylan Casey, the Product Manager at Path, wrote the following comment on Paul's blog:

"Hey Jeffery, thanks for alerting us to this. We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:

1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.2. We have submitted a new version with this fix to the App Store for approval.3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.

One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path."

Casey seems to be putting the blame for this incident onto Apple and it does not seem as though Path was purposely trying to go against the wishes of its userbase. At the same time, this would been to be a problem that many apps would run into, and it is surprising that nobody seemed to be aware of it until now. You have to wonder how many other apps with geotagging features are now finding out that Apple is tagging the pictures of their users, even if they were told not to.

The updated Path app was approved Friday afternoon, and can now be downloaded from the App Store.

Privacy issues at Path

The fact that Path photos were being geotagged, despite their explicit instructions not to do so, would probably not be as big of a story if Path did not have a history of collecting data from its users without their consent.

In February 2011, Path found itself in trouble for uploading the contact list of its iPhone users without permission. The FTC accused Path of automatically collecting and storing information about that person's contacts even if the user did not tell the app to collect any info from its contact. Path was also accused of lying to consumers about what type of data was automatically collected and for violating Children’s Online Privacy Protection Act (COPPA) Rule by collecting information about children 13 and younger without their parents permission. It also violated the rule by not specifically disclosing its policy regarding the collection of the information of children, and not providing the parents of those children with that policy.

The case was finally settled Friday, with Path agreeing to pay a $800,000 fine. The social network is also being forced to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

While Path quickly fixed the geotagging problem Friday, the fact that it once again found itself being accused of not respecting the privacy of its users cannot be good for the app's reputation. The social network has to be hoping that issues like this do not keep cropping up, or else people might just become fed up and find an app that does not continuously violate their privacy.